Over eight apps were found to exploit user permission to steal 'millions of dollars'

Highlights

Google has removed one Cheetah Mobile and one Kika Tech app

Kika Keyboard and CM File Manager are no longer listed on Google Play

Google will take additional action as investigation is still not complete

It was reported last week that eight apps on Google Play with more than two billion downloads have been exploiting user permissions to steal "millions of dollars". Seven of these apps are from Cheetah Mobile, a Chinese Internet company, while the other one has been developed by Kika Tech, another Chinese firm. After internal investigation, Google has reportedly confirmed that it has removed two of the apps from the list- CM File Manager and Kika Keyboard.

The tech giant told BuzzFeed News that these two apps contain code used that can execute ad fraud techniques like click injection and click flooding. "We take these allegations very seriously and our Google Play Developer policies prohibit deceptive and malicious behaviour on our platform. If an app violates our policies, we take action," Google told the publication.

The report states that according to app analytics firm AppBrain, CM File Manager and Kika Keyboard together have been downloaded more than 250 million times. The Kika Keyboard app was on the top spot on the Play Store in the top keyboard app list, and Cheetah Mobile is said to be the largest developers in the Android ecosystem.

Out of the list, Battery Doctor and CM Launcher apps were also removed by Cheetah Mobile last week itself. The company has issued several statements ever since the news broke out last week, and it seems to shift the blame onto third party SDKs installed in its apps. Furthermore, it even threatened to take legal action against Kochava, the app analytics and attribution company that first found malicious behaviour within these eight apps. The latest statement even alleged that "Kochava's testing methods contained fundamental mistakes, leading to a number of false or misleading conclusions."

Dismissing Cheetah Mobile's claim of third party SDKs causing click injections, in the report, Google says it found native code within these two apps that was used for install attribution abuse. The tech giant further states that investigation is still underway and it will take additional action.

The other apps developed by Cheetah include CM Launcher 3D, Security Master, CM Locker, and Cheetah Keyboard, and we strongly recommend users to not download any of these apps, or uninstall them if they exist on your Android device, until full investigation by Google is completed.

Tasneem AkolawalaEmail Tasneem
When not expelling tech wisdom, Tasneem feeds on good stories that strike on all those emotional chords. She loves road trips, a good laugh, and interesting people. She ... More